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DETAILED ACTION 

• Applicant's amendment filed on October 6, 2008 has been entered. Applicant has 
amended claim 1 . Currently claims 1-28 are pending in this application. 
Plurality 

Response to Arguments 

1 . Applicant's arguments, see Pages 13-17, filed October 6, 2007, with respect to 
the rejection(s) of claim(s) 1-28 under U.S.C. 102(e)/ U.S.C. 103(a) have been fully 
considered and are persuasive. Therefore, the rejection has been withdrawn. 
However, upon further consideration, a new ground(s) of rejection is made in view of 
Serbinis (see rejection below). Also Note that examiner is still relying upon Leser (US 
2005/0028006) reference as a secondary reference but only for the parts that are fully 
supported by the provisional application. 

2. Applicant's arguments filed October 6, 2008 regarding rejection under 35 U.S.C. 
1 01 of claims 1 -1 3 have been fully considered but they are not persuasive for following 
reasons: 

• Regarding U.S.C. 101 of claims 1-13, applicant argues that, "Further, nn 1995, 
the Commissioner of Patents and Trademarks conceded to the U.S. Court of 
Appeals for the Federal Circuit "that computer programs embodied in a tangible 
medium, such as floppy diskettes, are patentable subject matter under 35 U.S.C. 
§ 101." See In re Beauregard, 53 F.3d 1583 (Fed. Cir. 1995). Amended claim 1 



Application/Control Number: 10/676,474 Page 3 

Art Unit: 2435 

falls within what the Commissioner of Patents and Trademarks had conceded 
was patentable subject matter." 
• In reply, examiner would like to point out that the preamble of claim 1 does not 
establish that it is a computer program embodying a policy module and an 
access manager module . The claim is for a document security system. Examiner 
would like to point out that even amended claims fail to overcome U.S.C 101 
rejection because amended claim 1 is still claiming the system consisting of two 
modules, a policy module and an access manager module which are software 
parts of the system. Simply because software module configures some hardware 
external to the system does not incorporate that hardware into the system. The 
system must have a hardware component for it to be statutory. The current 
system comprises two software modules and therefore lack any hardware 
structure and therefore, the claimed "document security system" would amount to 
computer program, a type of functional descriptive material, per se. As such, the 
claimed system must include the hardware necessary to realize any of the 
functionality of the claimed modules and produce a useful, concrete and tangible 
result. In absent recitation of such hardware as part of the claimed system, it is 
considered non-statutory. 

Claim Rejections - 35 USC § 101 
3. 35 U.S.C. 101 reads as follows: 



Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 
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The USPTO "Interim Guidelines for Examination of Patent Applications for Patent 
Subject Matter Eligibility" (Official Gazette notice of 22 November 2005), Annex IV, 
reads as follows: 

In contrast, a claimed computer-readable medium encoded with a computer program is a computer 
element which defines structural and functional interrelationships between the computer program and 
the rest of the computer which permit the computer program's functionality to be realized, and is thus 
statutory. See Lowry, 32 F.3d at 1583-84, 32 USPQ2d at 1035. 

Claims that recite nothing but the physical characteristics of a form of energy, such as a frequency, 
voltage, or the strength of a magnetic field, define energy or magnetism, per se, and as such are 
nonstatutory natural phenomena. O'Reilly, 56 U.S. (15 How.) at 112-14. Moreover, it does not appear 
that a claim reciting a signal encoded with functional descriptive material falls within any of the 
categories of patentable subject matter set forth in Sec. 101 . 

... a signal does not fall within one of the four statutory classes of Sec. 101. 

. . . signal claims are ineligible for patent protection because they do not fall within any of the four 
statutory classes of Sec. 101 . 



Claims 1-13 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter as follows. Although Claims 1-13 are 
directed towards system of providing document security system, the specification 
provides intrinsic evidence that these claims are directed towards software alone. 
System as claimed in 1-13 is nothing more then software modules, which are 
capable of performing different tasks of the claimed system. 

Claims 1-13 defines a system embodying functional descriptive material. The 
current system comprises two software modules and therefore lack any hardware 
structure and therefore, the claimed "document security system" would amount to 
computer program, a type of functional descriptive material, per se. As such, the 
claimed system must include the hardware necessary to realize any of the 
functionality of the claimed modules and produce a useful, concrete and tangible 
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result. In absent recitation of such hardware as part of the claimed system, it is 
considered non-statutory. 



Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 1 02 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

(e) the invention was described in (1 ) an application for patent, published under section 1 22(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 



Claims 1-9, 11, 13-18 and 27 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Serbinis et al. (US 6,584,466 B1), hereinafter "Serbinis". 

Regarding Claim 1, Serbinis discloses a document security system for restricting 
access to secured documents (See Fig. 1-5) comprising: 

a policy module configured to enable a processor to store at least one process- 
driven security policy on a computer readable storage medium, wherein the process- 
driven security policy includes a plurality of states (see, Column 8, lines 1-20) and 
transition rules (see Column 8, lines 1-20), wherein each of the states is associated with 
one or more access restrictions (see, Column 8, lines 1-20) and wherein the transition 
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rules specify circumstances under which a secured document is to transition from one 
state to another (see Column 8, lines 1-20). 

an access manager module configured to enable a processor to access the 
process-driven security policy and determine whether access to a secured document is 
permitted by a requestor based on the policy state associated therewith at the time 
access is requested and the corresponding one or more access restrictions thereof for 
the process-driven security policy (see, Column 9, line 64- Column 10 line 5 and also 
Column 8, lines 1-20). 

Regarding Claim 2, the rejection of claim 1 is incorporated and Serbinis further 
discloses that the one or more access restrictions for the secured document are 
automatically changed when the state of the process-driven security policy for the 
secured document changes (see Column 7, lines 63-67). 

Regarding Claim 3, the rejection of claim 1 is incorporated and Serbinis further 
discloses that events cause the state of the process-driven security policy for the 
secured document to automatically transition from one state to another (see, Column 7, 
lines 63-67). 

Regarding Claim 4, the rejection of claim 3 is incorporated and Serbinis further 
discloses that the events are internal or external events with respect to the document 
security system (See, Column 7, lines 63-67). 

Regarding Claim 5, the rejection of claim 4 is incorporated and Serbinis further 
discloses that at least one of the events is an external event from a document 
management system (see Column 8, lines 26-30). 
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Regarding Claim 6, the rejection of claim 1 is incorporated and Serbinis further 
discloses that one or more of the corresponding one or more access restrictions for 
access to the secured document remain intact when the state of the process-driven 
security policy for the secured document changes (see paragraph 0123) 

Regarding Claim 7, the rejection of claim 1 is incorporated and Serbinis further 
discloses that events cause the state of the process-driven security policy to 
automatically transition from one state to another (see Column 7, lines 63-67). 

wherein the process-driven security policy includes at least a first state and a 
second state, and wherein a first event causes transition from the first state to the 
second state and a third state and second event that causes transition from the second 
state to a third state (see, Column 8, lines 1-20). 

Regarding Claim 8, the rejection of claim 1 is incorporated and Serbinis further 
discloses that events cause the state of the process-driven security policy to 
automatically transition from one state to another (see Column 7, lines 63-67). 

wherein the process-driven security policy includes at least a first state and a 
second state, and wherein a first event causes transition from the first state to the 
second state (see Column 8, lines 1-20). 

Regarding Claim 9, the rejection of claim 1 is incorporated and Serbinis further 
discloses that transition rules are based on events (see Column 8, lines 1-20). 

Regarding Claim 11, the rejection of claim 1 is incorporated and Serbinis further 
discloses that events cause the state of the process-driven security policy for the 
secured document to transition from a previous state to a current state, and wherein the 
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secured document is modified when the process-driven security policy for the secured 
document transitions from the previous state to the current state (see Column 7, lines 
63-67). 

Regarding Claim 13, the rejection of claim 11 is incorporated and Serbinis further 
discloses when permitted, access to the secured document is available at a client 
machine (see, Column 10, lines 3-4). 

Regarding Claims 14 and 27, Serbinis discloses a method and a corresponding 
software program for transitioning at least one secured document through a security- 
policy state machine having a plurality of states, the method comprising: 

(a) receiving an event (see, Column 7, lines 63-67, "the active date/time, and 
expiration date/time") 

(b) determining whether the event causes a state transition for the at least one 
secured document from a former state to a subsequent state of the security-policy state 
machine; (see, Column 7, lines 63-67, "In a preferred embodiment, documents stored in 
the DMS system are monitored by a document state process") 

(c) automatically transitioning from the former state to the subsequent state of the 
security-policy state machine when determining step (b) determines that the event 
causes the state transition (see, Column 7, lines 63-67, "In a preferred embodiment, 
documents stored in the DMS system are monitored by a document state process that 
automatically modifies the state of a document instance based on its current state, the 
active date/time, and expiration date/time.") 
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Regarding Claim 15, the rejection of claim 14 is incorporated and Serbinis further 
discloses the security-policy state machine implements a process-driven security policy, 
and wherein each state of the security-policy state machine has different access 
restrictions (see Column 8, lines 1-20). 

Regarding Claim 16, the rejection of claim 14 is incorporated and Serbinis further 
discloses each of the states of the security-policy state machine have different access 
policies (see Column 8, lines 1-20). 

Regarding Claim 17, the rejection of claim 16 is incorporated and Serbinis further 
discloses the security-policy state machine is provided as part of a document security 
system, and wherein the different access policies of the security-policy state machine 
are enforced by the document security system (See, Column 8, lines 1-20 and Column 
9, line 63- Column 10, line 5) 

Regarding Claim 18, the rejection of claim 14 is incorporated and Serbinis further 
discloses wherein the transitioning step (c) comprises modifying the secured document 
to reflect the subsequent state of the security-policy state machine (see Column 7, lines 
63-67). 



Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Serbinis 
in view of Li et al. (US 2004/01 9391 2 A1 ), hereinafter Li. 

Regarding Claim 10, the rejection of claim 9 is incorporated and Serbinis does 
not teach that the transition rules are written in XML. 

However, Smith et al. in the same field of endeavor of network security discloses 
writing security policies in XML format (Paragraph 0014, "In one embodiment of the 
present invention, the security policies are stored in a relational database in a native 
Extensible Markup Language (XML) format") 

Therefor, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to write the transition rules of Serbinis in XML format as taught 
by Li because XML is a text-based and platform independent, as a result policy server 
would be able to enforce and distribute the policies to all client having any type of 
operating system platform. 

Claims 12. 19 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Serbinis in view of Dilkie et al. (US 6341 1 64). hereinafter "Dilkie". 

Regarding Claim 12, the rejection of claim 11 is incorporated and Serbinis further 
discloses that the secured document includes at least a security information portion 
(see, Column 9, lines 21-25 and Column 7, lines 33-40) and an encrypted data portion 
(see, Column 1 1 , lines 7-10) and further discloses transitioning secure document from 
the previous state to the current state (see, Column 7, lines 63-67). 
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Serbinis discloses encrypting document with the session key and require the 
retriever of the document to provide the same key to decrypt the documents. However, 
Serbinis does not explicitly discloses the security information portion including at least 
an encrypted key, and the key being encrypted must be decrypted in order to decrypt 
the encrypted data portion and wherein when the process-driven security policy for the 
secured document transitions from the previous state to the current state, the secured 
document is modified by decrypting the encrypted key and then re-encrypting the key, 
whereby the key is encrypted differently for the current state than the previous state. 

However, Dilkie discloses security information portion including at least an 
encrypted key (Column 4 lines 1-3, "A cryptographic key package may include, for 
example, a symmetric encryption key wrapped, or encrypted, with an asymmetric 
encryption key, such as a recipient's public key..."), and the key being encrypted must 
be decrypted in order to decrypt the encrypted data portion (Column 7 lines 46-50, "The 
corresponding private key (for example, signing key) is used to unwrap the 
cryptographic key package to recover a message encryption key as known in the art. 
The system may re-encrypt the key package with a different asymmetric key and/or 
algorithm as shown in block 409. The analyzer 103 may then decrypt the message data 
in any suitable manner using the message encryption key as shown in block 410".) and 
wherein when, the secured document is modified by decrypting the encrypted key and 
then re-encrypting the key, whereby the key is encrypted differently for the modified 
document (Column 7 lines 46-50, "The corresponding private key (for example, signing 
key) is used to unwrap the cryptographic key package to recover a message encryption 
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key as known in the art. The system may re-encrypt the key package with a different 
asymmetric key and/or algorithm as shown in block 409. The analyzer 103 may then 
decrypt the message data in any suitable manner using the message encryption key as 
shown in block 410".). 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to improve the encryption system of Serbinis by encrypting the 
session key using the public key as taught by Dikkie because it provides extra security 
and provide secure session key exchange. It would have been further obvious to modify 
the secured document of Serbinis by decrypting the encrypted key and then re- 
encrypting the key as taught by Dilkie when document transit from one state to another 
state as taught by Serbinis so that system would need to re-encrypt the "header without 
re-encrypting the file itself, thereby only changing the wrapping on the header key" 
(Dilkie, column 8, lines 19-21) 

Regarding Claim 19, the rejection of claim 14 is incorporated and Serbinis does 
not teach retrieving an encrypted file key from the secured document; decrypting, if 
permitted by the former state of the security-policy state machine, the encrypted file key 
to yield a file key; subsequently encrypting the file key in accordance with the 
subsequent state of the security-policy state machine; and storing the secured 
document, the secured document including at least an encrypted data portion and the 
subsequently encrypted file key. 

However, Dilkie discloses a method of retrieving an encrypted file key from the 
secured document; decrypting, if permitted, the encrypted file key to yield a file key; 
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subsequently encrypting the file key and storing the secured document, (column 8, lines 
11-18, "incoming message is encrypted under algorithm X with symmetric key Y 
wrapped (encrypted) with asymmetric key Z, the system may decrypt asymmetrically to 
recover the symmetric key Y, and re-encrypt the symmetric key Y with a different 
asymmetric key Z' and replace the previous cryptographic key package with the new re- 
encrypted key data forming a new cryptographic key package in the header. The 
message data with the new cryptographic key package may then be stored") the 
secured document including at least an encrypted data portion (column 4, lines 7-8, "the 
encrypted message data with the header data") and the subsequently encrypted file key 
(Column 3, lines 62-63, "The cryptographic key package information is preferably 
contained as header data") 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to modify the secured document by decrypting the encrypted 
key and then re-encrypting the key as taught by Dilkie when document transit from one 
state to another state as taught by Serbinis to re-encrypt the "header without re- 
encrypting the file itself, thereby only changing the wrapping on the header key" (Dilkie, 
column 8, lines 19-21) 

Regarding Claim 20, the rejection of claim 14 is incorporated and Serbinis does 
not teach a method of retrieving an encrypted file key from the secured document; 
obtaining a private state key associated with the former state of the security-policy state 
machine; decrypting the encrypted file key using the private file key; obtaining a public 
state key associated with the subsequent state of the security-policy state machine; 
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subsequently encrypting the file key in accordance with the public state key; and storing 
the secured document, the secured document including at least an encrypted data 
portion and the subsequently encrypted file key. 

However, Dilkie discloses a method of retrieving an encrypted file key from the 
secured document; obtaining a private state key associated with the former state of the 
security-policy state machine; decrypting the encrypted file key using the private file 
key; obtaining a public state key associated with the subsequent state of the security- 
policy state machine; subsequently encrypting the file key in accordance with the public 
state key; and storing the secured document, (column 8, lines 11-18, "incoming 
message is encrypted under algorithm X with symmetric key Y wrapped (encrypted) 
with asymmetric key Z, the system may decrypt asymmetrically to recover the 
symmetric key Y, and re-encrypt the symmetric key Y with a different asymmetric key Z' 
and replace the previous cryptographic key package with the new re-encrypted key data 
forming a new cryptographic key package in the header. The message data with the 
new cryptographic key package may then be stored") the secured document including 
at least an encrypted data portion (column 4, lines 7-8, "the encrypted message data 
with the header data") and the subsequently encrypted file key (Column 3, lines 62-63, 
"The cryptographic key package information is preferably contained as header data") 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to modify the secured document by decrypting the encrypted 
key and then re-encrypting the key as taught by Dilkie when document transit from one 
state to another state as taught by Serbinis to re-encrypt the "header without re- 
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encrypting the file itself, thereby only changing the wrapping on the header key" (column 
8, lines 19-21) 

Claims 21-26 and 28 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Serbinis in view of Leser et a\. (US 2005/0028006 A1 ), hereinafter "Leser". 

Regarding Claims 21 and 28, Serbinis discloses a method and corresponding 
computer program for imposing access restrictions on electronic documents, the 
method comprising: 

a) providing at least one process-driven security policy at a server computer, 
wherein the process-driven security policy is associated with a plurality of states and 
wherein each of the states has distinct access restriction (see, Column 8, lines 1-20); 

Serbinis does not disclose: b) providing a reference to the process-driven 
security policy to client computer, the reference referring to the process-driven security 
policy resident on the server computer and c) associating the reference to an electronic 
document. 

Leser discloses b) providing a reference to the process-driven security policy to 
client computer, the reference referring to the process-driven security policy resident on 
the server computer and c) associating the reference to an electronic document (see, 
Paragraph 0208, Note: Paragraph 0208 is fully supported by the provisional application 
at least at Page 32, lines 3-10). 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to cache security-policy of the system of Serbinis into the 
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user's computers thereby enabling them to generate and or use protected document 
while they are off-line. 

The combination of Serbinis and Leser further discloses 

d) transitioning the process-driven security policy from one state to a current 
state (see, Column 8, lines 1-20); and 

e) subsequently determining at the server computer whether a requestor is 
permitted to access the electronic document, the access being based on a current state 
of the process-driven security policy (see, Column 9, line 64- Column 10 line 5 and also 
Column 8, lines 1-20), the current state being informed to the server computer by 
sending the reference to the server computer (see, Leser, Paragraph 0029, Note: 
Paragraph 0029 is fully supported by the provisional application at least at Page 9, lines 
1-4). 

Regarding Claim 22, the rejection of claim 21 is incorporated and Serbinis further 
discloses wherein the transitioning step (d) is automatically performed based on events 
(see, Column 7, lines 63-67). 

Regarding Claim 23, the rejection of claim 22 is incorporated and Serbinis further 
discloses wherein the transitioning step (d) is performed at the server computer (see, 
Column 7, lines 63-67). 

Regarding Claim 24, the rejection of claim 21 is incorporated and Serbinis further 
discloses wherein the associating step (c) associates the reference to a group of 
documents (See, Column 7, lines 22-23 as modified with Leser). 
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Regarding Claim 25, the rejection of claim 21 is incorporated and Serbinis further 
discloses wherein the method pertains to a group of electronic documents, and wherein 
all of the electronic documents of the group are always in the same state of the process- 
driven security policy (See Column 7, lines 54-57, Column 10, lines 59-64 and also 
Column 3, lines 16-27). 

Regarding Claim 26, the rejection of claim 21 is incorporated and Serbinis further 
discloses evaluating the process-driven security policy of an electronic document at the 
server computer based on at least the security policy restrictions for the current state of 
the process-driven security policy for the electronic document (see Column 7, lines 63- 
67). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to YOGESH PALIWAL whose telephone number is 
(571)270-1807. The examiner can normally be reached on M-F: 7:30 AM - 5:00 PM 
EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571 ) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Y. P.I 

Examiner, Art Unit 2435 
/KimYen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



